Avast's mobile threat team recently collaborated with researchers from ESET and SfyLabs to study the new version of BankBot, a malicious mobile banking program that has been repeatedly deployed on Google Play this year. It targets the applications of large banks, including Wells Fargo, Chase, DiBa and Citibank, and their users in the US, Australia, Germany, the Netherlands, France, Poland, Spain, Portugal, Turkey, Greece, the Dominican Republic, Singapore and the Philippines.
The new version of BankBot is hidden in applications, the first of which were the flashlight applications Tornado FlashLight, Lamp For DarkNess and Sea FlashLight. In the second campaign BankBot, called Mazar and Red Alert. However, instead of lighting up dark corners and bringing joy and convenience to their users' lives, these applications have dark intentions, including spying on users, collecting their mobile banking login data and stealing their money.
Google previously removed older versions of the applications carrying BankBot from Google Play within a few days. However, several versions remained active until November 17. That was long enough for the applications to infect thousands of users.
Google scans all applications submitted to Google Play for malicious software. To work around Google's automatic verification, the attackers triggered the fraudulent activity two hours after the user gave the application device administrator rights. In addition, they published the applications under different developer accounts, which is a common technique used to bypass Google's checks.
Once the applications are downloaded, the malicious program is activated. It checks which applications from a list of 160 are installed on the infected device. This list includes applications from Wells Fargo and Chase in the US, Credit Agricole in France, Santander in Spain, Commerzbank in Germany and many others from around the world.
After installation, BankBot behaves like a typical mobile banking Trojan. When a user opens a banking application, the malware displays a fake login and password form. The entered data is sent to the attackers and used for unauthorized access to the victim's bank account.
How can you protect yourself from mobile banking Trojans? We recommend taking the following steps:
- Make sure that the application you are using is a genuine banking application. If the interface looks unfamiliar, double-check with the bank's customer service department.
- Use two-factor authentication if your bank offers it as an option.
- Disable the ability to download applications from unknown sources. This protects you from this type of banking Trojan being activated on your phone.
- Before downloading a new application, check its user ratings. If other users complain about the poor performance of the application, this may be a reason not to install it.
- Pay attention to the permissions that the application requests. If a flashlight application requests access to your contacts, photos and multimedia files, consider this a "red flag". Often, malware to obtain complete control.
- Use proven security applications and antivirus software that detects and protects you from BankBot.
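
The permission check from the list above can also be done on an application package before it is installed. The following Python script is an added example, not part of the original article: it reads an `AndroidManifest.xml` that has already been decoded to text (for instance with apktool) and flags a flashlight app that requests access to contacts or media storage, or that declares a device administrator receiver. The baseline permission set, the function name and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Assumed baseline: what a flashlight app plausibly needs.
FLASHLIGHT_BASELINE = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}
# Permissions guarding the data the article names (contacts, photos, media files).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and media files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "photos and media files",
}

def audit_manifest(manifest_xml, baseline=FLASHLIGHT_BASELINE):
    """Return a list of red-flag strings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    flags = []
    requested = {e.get(A + "name") for e in root.iter("uses-permission")
                 if e.get(A + "name")}
    for perm in sorted(requested - baseline):
        if perm in SENSITIVE:
            flags.append(f"requests {perm} ({SENSITIVE[perm]})")
    # A receiver guarded by BIND_DEVICE_ADMIN lets the app ask the user
    # for device administrator rights.
    for rcv in root.iter("receiver"):
        if rcv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            flags.append(f"declares device admin receiver {rcv.get(A + 'name')}")
    return flags

# Constructed sample manifest (not taken from any real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for flag in audit_manifest(SAMPLE_MANIFEST):
        print("RED FLAG:", flag)
```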